There are many, many, many protections available. The key is: Assessing your target audience, and what they’re willing to put up with Understanding your audience’s desire to play with no pay Assessing the amount someone is willing to put forth to break your protection Applying just enough protection to prevent most people from avoiding payment, … Read more
The point of rainbow tables is that they’re created in advance and distributed en masse to save calculation time for others – it takes just as long to generate rainbow tables on the fly as it would to just crack the password+salt combination directly (since effectively what’s being done when generating rainbow tables is pre-running … Read more
Quoting the HTTPS RFC: When the TLS handshake has finished. The client may then initiate the first HTTP request. All HTTP data MUST be sent as TLS “application data”. Essentially, the secure SSL/TLS channel is established first. Only then the HTTP protocol is used. This will protect all the HTTP traffic with SSL, including HTTP … Read more
No. Putting aside the subject of allowing some tags (not really the point of the question), HtmlEncode simply does NOT cover all XSS attacks. For instance, consider server-generated client-side javascript – the server dynamically outputs htmlencoded values directly into the client-side javascript, htmlencode will not stop injected script from executing. Next, consider the following pseudocode: … Read more
Single sign-on (SSO) is conceptually pretty simple. User hits domain1.com. domain1.com sees there’s no session cookie. domain1.com redirects to sso.com sso.com presents login page, and take credentials sso.com sets session cookie for the user sso.com then redirects back to domain1 to a special url (like domain1.com/ssologin) the ssologin URL contains a parameter that is basically … Read more
Below are the steps to do revoke your JWT access token: When you do log in, send 2 tokens (Access token, Refresh token) in response to the client. The access token will have less expiry time and Refresh will have long expiry time. The client (Front end) will store refresh token in his local storage … Read more
Here’s something relevant from the Fetch spec (which defines CORS): Basic safe CORS protocol setup For resources where data is protected through IP authentication or a firewall (unfortunately relatively common still), using the CORS protocol is unsafe. (This is the reason why the CORS protocol had to be invented.) However, otherwise using the following header … Read more
No, you cannot reverse SHA-1, that is exactly why it is called a Secure Hash Algorithm. What you should definitely be doing though, is include the message that is being transmitted into the hash calculation. Otherwise a man-in-the-middle could intercept the message, and use the signature (which only contains the sender’s key and the timestamp) … Read more
Man-in-the-middle attacks on SSL are really only possible if one of SSL’s preconditions is broken, here are some examples; The server key has been stolen – means the attacker can appear to be the server, and there is no way for the client to know. The client trusts an untrustworthy CA (or one that has … Read more
There’s a Firefox extension that adds the CORS headers to any HTTP response working on the latest Firefox (build 36.0.1) released March 5, 2015. I tested it and it’s working on both Windows 7 and Mavericks. I’ll guide you throught the steps to get it working. 1) Getting the extension You can either download the … Read more